Friday, March 13, 2009

Social Engineering Master Class @ ChicagoCon!

This was a really fun webcast I had the pleasure of listening in on, featuring Mike Murray, Chris Nickerson, and Don Donzal from EH.NET.

Chris is really pumped about working on the SE Masterclass with Mike. They are both huge resources in the SE community and they are setting the bar impossibly high for this class.


The info:
In this 1-hour webcast, you'll be taken on a whirlwind adventure back to the days of the first charlatan, forward to the dawn of the Internet and smack dab into the present where these two topics are merging to form the most effective attacks to date.

Topics include:
-Brief history
-How do I utilize recon data in a SE attack
-Highly effective client-side attacks combining SE with exploit frameworks like Core IMPACT & Metasploit
-Business value in adding SE to your pen testing efforts
-How to learn what they know


It has become imperative to assemble a world-class team of experts to train professionals on the technologies and methods of the most dangerous and costly attackers, social engineers. ChicagoCon has responded with the first ever offering of the Social Engineering Master Class, developed and taught by Mike and Chris from May 4 - 8, 2009.

For more information, please visit www.chicagocon.com/2009s/semasterclass.html.


If you are looking for a class to show you a new way to ask for a password or silly parlor tricks to mess with someone's head, then this course is not for you! If, however, you desire to uncover advanced level material of both a technical and psychological manner, and learn the repeatable methods to gather intelligence, execute attacks, manipulate situations, and formally track a company's susceptibility to social engineering... and be able to mess with someone's head, then there simply is no other course like this in the world.


Two additional announcements:
- After the live event, come right back to this thread to talk to Chris and Mike.
- A coupon code for a huge discount to the Social Engineering Master Class at ChicagoCon 2009s will be shown during the webcast. Don't miss it!!

HERE IT IS!
http://www.ethicalhacker.net/content/view/242/2/


If you want to ask questions or make comments about the class, we have opened up a thread on EH net to keep the interaction going:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3616.0/

Back in the Game

When it rains, it pours!

Been living off caffeine because I have so much going on right now. Along with my latest venture managing accounts for Lares (www.lares.com), I am officially back in the music game...albeit in a more limited capacity than before.

Tourian Music Group - originally founded to market and promote DJ Scratchator of the Flipmode Squad - recently evolved in a very positive way. J.P. Morgan 'GRRIM,' who started out as the Global Marketing Director for DJ Scratchator, has recently accepted the opportunity to work with Busta Rhymes as his International Booking Agent.

We are currently in talks with some sponsors about a US Tour with various artists, and are hoping to donate a significant portion of the proceeds to support battered women & children. If this works out...it will be very beneficial to all parties involved.

Very exciting stuff...and more details to come when I have them!

Okay...back to work!

Sunday, March 8, 2009

Ski Lift Advice

On Saturday, I was invited to work an event for SOBE Life Water at a teeny, tiny ski hill here in CT. The chance to strap on my snowboard and hit any kind of slopes, for free, while promoting a decent product is always hard to pass up...but especially when it is so warm out that I was able to snowboard all day in a t-shirt!

So off I went...and it was a very fun day. While boarding, I wound up on the ski lift with a member of the hill's ski patrol. I am not an introvert, so I quickly struck up a conversation with the older gentleman. He inquired about my t-shirt, which gave away the fact that I was working the SOBE promotion on the hill. I told him how I work weekends for a promotional event company for "fun" money. After that, I explained how I work from home full-time, and recently took on my first venture into the sales field with Lares.

I told him how intimidated I was to get into a fully commission-based income, and he simply agreed and said, "Yeah...you don't sell...you don't eat."

We had a chuckle and then I, in the natural flow of conversation, asked what he did for a living. He smirked and said, "I'm a sales manager for a plumbing distributor."

It was a very funny moment, but he immediately started telling me about his 35 years in the business and how selling a product is really not about the product at all...although you have to KNOW your product, he said, it's about selling yourself.


This is a very quality piece of free advice that I plan to take with me into my ventures with Chris Nickerson's company.

Thursday, March 5, 2009

Social Engineering...not just for Pen Tests anymore!

I never enjoy receiving sales calls from anyone, especially Telemarketers. I have signed up for the National DO NOT CALL gimmick, but still receive intrusive phone calls...ON MY CELL PHONE...at least once a day.

From my previous posts, you know that I recently took on an exciting new position as an Account Executive for Chris Nickerson's security consulting company, Lares (http://www.lares.com/).

Yesterday I asked myself, aloud (c'mon...I work at home ALONE all day), "how much of a pain in the 'you-know-what' am I being while making prospecting calls to companies???"

It's kind of a nuisance for all parties involved; I literally have to social engineer my way past customer service reps, administrative assistants, dogs, bees, and dogs with bees in their mouths so when they bark they shoot bees (I love the Simpsons...and I digress) just to get to speak with a generally disinterested person on the other end of the phone who is most likely too busy to talk with me in the first place, or not the person I need to speak with anyway.

I will continue my verbal quest to show people the potential returns on their investment in preventative security measures, but will definitely be implementing a few new strategies to build my account network.

I'll keep you posted and will let you know if I take over the classes for Dale Carnegie.

Wednesday, March 4, 2009

Outsider/Contractor Best Security Practices

originally written by Chris Nickerson*

Edited by me.

1. Corporate Email access to contractors:

Not sure why in ANY situation a particular contractor working at the location would need this address. Their mail functions should work fine to facilitate all they need. If you are 1099'ing a contractor to "white label" as your company, you'd definitely want them to look and feel like a W-2 employee, where email would be important and would grant access to it (albeit limited).


2. Internet access:

Should be on the corporate network or provided via a dedicated network. Well...assuming your accountability is high, it would be easier to grant separate or proxied access to the net. Even a single point of failure or choke point (which would not be an issue, given that you have zero priority to availability) would lend the most functional ability to make users accountable for their traffic and increase the overall confidentiality of the data if the right DLP/content filtering controls were in place for egress and ingress.


3. Network access to corporate or a separate DMZ for Contractors:

This really depends on what the contractor is doing. I am a big fan of the "you get nothing until you can justify WHY you need it" policy. If they are supposed to be scanning or testing from the perspective of an internal user, then they should probably have access. If they are doing your taxes, on the other hand, tell them to use their 3g card to get on the net.


4. Directory accounts (AD accounts for contractors):

Again, it should be based on need. Most do not need an account. Sneakerware, email, USB - all using encryption - should be just fine to get what the contractor needs to get the job done. However, if they are supposed to audit many configurations, fix a server, or do other Administrative tasks, you will "probably need to give them access." My advice in this instance is to LOG EVERYTHING THEY DO!!!! And I mean EVERYTHING. Got it? Say it with me now...EVVVV - REEEE - THIIIING. Okay...I'll move on. everything


5. Methods of Ensuring accountability at the end of project cycle by the contractors:

Removable drive access, email, and web to ensure they abide by the NDA signed. I make my consultants save ALL work onto an encrypted USB drive. At the end of a project's delivery stage, the client can choose to either immediately destroy, or allow us to follow our 90-day client data destruction guidelines. In reality, all these questions come down to the level of sophistication, process, and methodology used by your contractors. They should ALL have data destruction, data privacy, data handling, reporting, third-party user access control, project requirement, and NDA agreements/methodologies that are followed and are able to be audited by you (the customer). If they don't have these documents, and follow them on a regular basis, it's not a repeatable process and they will gladly "wing it" to get your business. I have MSA, DATA PRIVACY, and Master Service Agreements signed for all clients concerned with all of the areas listed above.
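Items 3, 4 and 5 above describe one access pattern: a contractor gets nothing until the need is justified, every action is logged, and the access ends with the project. The following is an added example written for this post, not code from Chris Nickerson or Lares: a small default-deny access policy in Python that records a justification for each grant, logs every allow and deny decision, refuses access once the project end date has passed, and reports grants that were never offboarded. The contractor names, resource names and dates are constructed for the demo.

```python
# Added example (not from the original post or Lares): default-deny,
# time-bound contractor access with an audit trail. Names and dates
# below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ContractorGrant:
    """What one contractor may touch, why, and until when."""
    contractor: str
    justification: str          # item 3: nothing until they justify WHY
    resources: FrozenSet[str]   # e.g. {"internal_net", "ad_account"}
    project_end: date           # item 5: access dies with the project


class ContractorAccessPolicy:
    """Default deny; every decision (allow or deny) is logged (item 4)."""

    def __init__(self) -> None:
        self.grants: Dict[str, ContractorGrant] = {}
        self.audit_log: List[dict] = []

    def _log(self, event: str, contractor: str, detail: str, outcome: str) -> None:
        self.audit_log.append({"event": event, "contractor": contractor,
                               "detail": detail, "outcome": outcome})

    def grant(self, g: ContractorGrant) -> None:
        # A grant without a written justification is refused outright.
        if not g.justification.strip():
            self._log("grant", g.contractor, ",".join(sorted(g.resources)),
                      "refused:no_justification")
            raise ValueError(f"{g.contractor}: no justification, no access")
        self.grants[g.contractor] = g
        self._log("grant", g.contractor, ",".join(sorted(g.resources)), "ok")

    def decide(self, contractor: str, resource: str, today: date) -> str:
        """Return 'allow' or 'deny:<reason>'; the decision is always logged."""
        g = self.grants.get(contractor)
        if g is None:
            outcome = "deny:no_grant"
        elif today > g.project_end:
            outcome = "deny:project_ended"
        elif resource not in g.resources:
            outcome = "deny:not_justified"
        else:
            outcome = "allow"
        self._log("access", contractor, resource, outcome)
        return outcome

    def offboard(self, contractor: str) -> bool:
        """Remove a grant at project close; False if there was nothing to remove."""
        removed = self.grants.pop(contractor, None) is not None
        self._log("offboard", contractor, "", "ok" if removed else "no_grant")
        return removed

    def expired_grants(self, today: date) -> List[str]:
        """Contractors whose project ended but who were never offboarded."""
        return sorted(c for c, g in self.grants.items() if today > g.project_end)


def demo() -> ContractorAccessPolicy:
    """Constructed scenario: a pen tester with internal access, an accountant with none."""
    policy = ContractorAccessPolicy()
    policy.grant(ContractorGrant(
        contractor="pentester-alice",
        justification="internal-perspective test per SOW section 2",
        resources=frozenset({"internal_net", "ad_account"}),
        project_end=date(2009, 3, 31)))
    policy.grant(ContractorGrant(
        contractor="accountant-bob",
        justification="quarterly tax filing",
        resources=frozenset(),           # item 3: use your own 3G card
        project_end=date(2009, 4, 15)))
    return policy


def run_scenario() -> dict:
    """Exercise the policy over constructed dates and return the outcomes."""
    p = demo()
    return {
        "tester_net_during": p.decide("pentester-alice", "internal_net", date(2009, 3, 10)),
        "tester_email_during": p.decide("pentester-alice", "corp_email", date(2009, 3, 10)),
        "accountant_net": p.decide("accountant-bob", "internal_net", date(2009, 3, 10)),
        "unknown": p.decide("nobody", "internal_net", date(2009, 3, 10)),
        "tester_net_after": p.decide("pentester-alice", "internal_net", date(2009, 4, 1)),
        "stale": p.expired_grants(date(2009, 4, 1)),
        "offboarded": p.offboard("pentester-alice"),
        "offboarded_again": p.offboard("pentester-alice"),
        "log_entries": len(p.audit_log),   # 2 grants + 5 decisions + 2 offboards
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the audit log is that denies are recorded as carefully as allows; a contractor repeatedly asking for a resource they were never justified for is exactly the signal item 4 wants you to keep.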



*Information provided with express permission to publish on blogger.com by:

Chris Nickerson [CISSP,CISA,IAM,17799,CCNA,MCSE]
Founder and CEO
Lares Consulting
(C): (720) 217-3087
cnickerson@laresconsulting.com

Tuesday, March 3, 2009

How the heck did I get here???

In January 2009, Chris Nickerson - Founder and CEO of Lares (http://www.lares.com/) - offered me the opportunity to make his company's first outbound sales inquiries...via phone, email, Twitter, Facebook, LinkedIn, and however else I could manage to build the buzz about his company.

So how come I got this opportunity??? Hope you have a few minutes!

Chris and I grew up in a suburban town in Eastern Connecticut and spent our time "social engineering" our way past the adults at the local, ritzy swim-clubs so we could use the tennis courts and pools on blistering summer days. It was no surprise to me when, after departing for the greener pastures of Kansas City, Chris was quick to embark on a career path in the information security industry. From his time spent working as a Security Architect for Sprint to the day he decided to begin his own security consulting company, Chris has quickly become a pioneer and a leading authority in the industry.

As for me...I certainly went a less conventional route to the position I am in now as an Account Executive for Lares. In High School, I generally skated by on personality and charm, with the occasional half-assed completion of a homework assignment. I learned the hard way that this approach did not work at the collegiate level. With a one-point-something grade point average after three semesters, it was pretty evident that I had some real learning to do.

I was lucky to have an Uncle who worked in middle-management at a Hartford-based insurance company so, with his assistance, I ventured into my first insurance company cubicle job. It was fantastic! I was 19 years old and making good money for a relatively easy job.

But after about a year, I was losing interest and started to skate by on personality with a little bit of bullshit sprinkled on top. I quickly found myself a 21-year-old who was stuck in a cubicle with no advancement opportunities and, even worse, no motivation...So I decided to try something new and exciting.

I signed 'the dotted line' on August 7, 2001. A little over a MONTH before 9/11 occurred. The Army National Guard was my route to a tuition-free college education, but everything changed after that. 6 years (and 2 active duty tours) later, I found myself wondering, again, what the heck to do when I grow up...

Humble pie can actually taste pretty effing good when you swallow it with a big ol' glass of pride. I spent a couple of years after leaving the National Guard doing a lot of soul searching, using my benefits as a Veteran to attend college again, doing odd jobs, begging, borrowing, and stealing (don't worry...it's just a figure of speech). After all that, I wound up in that cubicle environment again, only this time with a much brighter outlook. This led to the opportunity to work full-time from home....which is where this story is being written right now. If not for this opportunity with my full-time job, I wouldn't have had the liberty to say yes to what occurred next...

Chris Nickerson and I have stayed in touch since he moved to Kansas our Junior year of High School, so it was no surprise when I received a text message from him on New Year's Day. Only this time his inquiry was a little different in nature:

"Wut r u doin nxt week?" he inquired.

Figuring his work was bringing him to the East Coast - which usually leads to us drinking heavily in New York City on a work night - I responded with a quick, "Hanging with you?"

He promptly shot back, "flying u to Vegas...got a job opp 4 u"

And so he did. We spent the week of CES discussing what types of services his company offered and I was immediately hooked. How could I not be excited about working to create a buzz about products and services that seem to come right out of a movie (Sneakers - starring Robert Redford - comes immediately to mind)!!???!!???

I am not yet a learned member of the information security industry...but with the guidance of Chris and the other experts at Lares, I have a feeling I will not be venturing into other endeavors any time soon. And I will be lame and take this opportunity to thank everyone for getting me where I am today. I just can't wait to give it all back.


Thanks for reading this excerpt...until next time (don't worry...there will be some information on social engineering, infosec, etc...)